Why is the average cost of cyber liability insurance starting to double from one year to the next, and what can you do about it?
In the past, getting a high-quality, affordable policy was as simple as providing your revenue and some basic information about your cyber security controls. Today, you must fill out a detailed annual questionnaire about your security practices, and if your answers aren’t satisfactory, you could see your premiums skyrocket – or worse, be denied a renewal on your existing policy and be unable to get a quote from other insurers.
To keep yourself insurable and the cost of coverage under control, insurance and cyber security experts recommend doing these ten things:
- Implement multifactor authentication (MFA) everywhere. MFA reinforces your passwords by adding a second layer of security that confirms you are who you say you are when you log into a device, application, or online service. We’ve put this at the top of the list because it reduces the chances of account compromise 1000x. To maximize its effectiveness, you must implement MFA for all of your applications and online services.
- Encrypt your data. Governments impose fines and require disclosure if a device containing unencrypted sensitive information is lost or stolen, so at the very least, we recommend encrypting data on company-owned laptops, phones, and other endpoints. If you are using a cloud backup service for sensitive information, we also recommend encrypting your data while it is in transit to your service provider and once it reaches its destination.
- Ensure your backups work and are protected from ransomware. Backed-up data is useless if it’s not available when you need it, so make sure your backups actually restore. Once a quarter, choose a few random files to restore (to a separate location, so you don’t overwrite newer versions) and open them to confirm that they’re usable. Do the same at least once a year with a critical database, like your billing database, to make sure you can restore, access, and use it. In addition, we recommend conducting a regular review of what you do and don’t back up to ensure you aren’t accidentally missing key information. Finally, we recommend isolating your backups from your network so they can’t be deleted or encrypted in a network breach and remain available for recovery.
- Upgrade your endpoint protection. Modern endpoint protection is more effective than traditional antivirus software against attacks that haven’t been seen before. In addition, it gives analysts the context they need to identify and respond rapidly to attacks that succeed in breaching your defenses. We also recommend that you provide your employees with company-owned computers rather than allowing them to use their own, as this is the best way to ensure that you can enforce and audit your company security policies and solutions.
- Train and test employees about current cyber threats. Phishing and other social engineering attacks continue to be the most common way that criminals capture employees’ login credentials and deploy ransomware – so the best way to reduce your risk is to teach your employees how to recognize malicious links and attachments so they don’t click on them. We recommend an ongoing program that both trains your employees and tests them regularly, a combination that typically reduces phishing entrapments by 90% over the course of a year.
- Implement Mobile Application Management (MAM). Most employees use their personal mobile devices at work, so Mobile Device Management (MDM) limited to company-owned devices isn’t enough to protect you. MAM provides state-of-the-art protection by isolating your company’s information within approved, encrypted, secure applications. This lets employees continue using their own devices safely while allowing you to erase company information, if necessary, without affecting their personal applications and data.
- Keep your systems and applications up to date. Review and deploy patches and updates as soon as they come out, and phase out any software that can no longer be updated. A study by Automox shows that 60% of enterprise data breaches in 2019 and 2020 were traced back to a missing operating system or application patch. Be aware that vendors occasionally issue flawed patches, so review them before broad deployment. If you don’t have the scale for proper review, consider using an outsourced firm for patch management.
- Implement single sign-on (SSO) to extend protection to all cloud services. SSO makes it easy to roll out MFA everywhere without gaps. It also ensures you can quickly revoke an employee’s access to data, applications, and the network when they leave your company. Finally, it reduces the number of passwords your employees need to remember.
- Develop and test a security incident response plan. In its “Cost of a Data Breach Report” survey, the Ponemon Institute found that the speed of detecting and containing a data breach is a major factor in controlling its cost. Surveyed organizations that contained a breach in less than 200 days incurred an average of $1.2 million less in costs than organizations that needed more time. The leading cost mitigation factor was the formation of an incident response team, which reduced the average total cost of a data breach by $360,000. The second most effective factor was extensive testing of an incident response plan, which reduced the average total cost by $320,000.
- Implement organization-wide security policies. Not all risks can be managed via technology; some require your employees to take action to ensure business continuity and report security incidents. Rolling out and enforcing security policies helps them understand their roles and responsibilities. In addition, having clear security policies reduces your risk of penalties for negligence or regulatory noncompliance.
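The quarterly restore test described in the backups item above can be scripted so it runs the same way every time. The following is an added example, not code from Xantrion or from the original post. It assumes a backup layout of the author's choosing: a backup root containing the files plus a `manifest.json` that records each file's SHA-256 at backup time (the manifest name and layout are assumptions). The script picks random files from the manifest, restores each to a fresh scratch directory so nothing on the live system is overwritten, and compares the restored bytes against the recorded hash. The sample backup set it builds is constructed for the demo and includes one deliberately corrupted file so the check has something to catch.

```python
"""Quarterly backup restore spot-check (added example, not the post's own code).

Restores a random sample of files from a backup set into a scratch directory
(never the live path) and verifies each restored file against the SHA-256
recorded in the backup manifest. A hash mismatch or a missing file means the
backup is not usable and must be investigated before it is needed for real.
"""
import hashlib
import json
import os
import random
import shutil
import tempfile

MANIFEST_NAME = "manifest.json"  # assumed layout: <backup_root>/manifest.json


def sha256_of(path):
    """Stream a file through SHA-256 so large restores don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_constructed_backup(root):
    """Create a small, constructed backup set for the demo. One file is
    corrupted after the manifest is written, simulating bit-rot or tampering."""
    files = {
        "invoices/2023-q1.csv": b"id,amount\n1,100\n2,250\n",
        "hr/handbook.txt": b"Employee handbook v3\n",
        "db/billing.sql": b"CREATE TABLE invoices (id INT, amount INT);\n",
    }
    manifest = {}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    # Corrupt one file after hashing, so the spot check should flag it.
    with open(os.path.join(root, "hr/handbook.txt"), "ab") as f:
        f.write(b"\x00")
    with open(os.path.join(root, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f)


def spot_check_restore(backup_root, sample_size=3, seed=None):
    """Restore `sample_size` random files to a scratch dir and verify them.
    Returns {relative_path: "ok" | "hash_mismatch" | "missing"}."""
    with open(os.path.join(backup_root, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    rng = random.Random(seed)  # seed only for reproducible demos/tests
    chosen = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    results = {}
    scratch = tempfile.mkdtemp(prefix="restore-test-")  # never the live path
    try:
        for rel in chosen:
            src = os.path.join(backup_root, rel)
            dst = os.path.join(scratch, rel)
            if not os.path.isfile(src):
                results[rel] = "missing"
                continue
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # the "restore" step, into scratch only
            results[rel] = "ok" if sha256_of(dst) == manifest[rel] else "hash_mismatch"
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    return results


def run_demo():
    """Build the constructed backup, check every file, and return the report."""
    root = tempfile.mkdtemp(prefix="backup-")
    try:
        build_constructed_backup(root)
        return spot_check_restore(root, sample_size=3, seed=1)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, status in run_demo().items():
        print(f"{status:14} {path}")
```

In a real deployment, point `spot_check_restore` at a mounted copy of the backup (or at files pulled from the isolated backup store), log the report, and treat any result other than `ok` as an incident to follow up on; the scratch directory is deleted afterward so the test leaves nothing behind on the host.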
Cyber liability insurance has become a necessity, and Xantrion can help you get the best coverage at the best price. If you are interested in reviewing your security program or need help benchmarking what various policies cover and how much they cost, or guidance in choosing the right one for your specific needs, contact your vCIO.